6.1.1.3.2.15. linotp.lib.ocra module
‘ocrasuite’ in unit tests:
OcraSuite-1:HOTP-SHA1-6:QN08 OcraSuite-1:HOTP-SHA256-8:QA08 OcraSuite-1:HOTP-SHA256-8:QN08-PSHA1
OcraSuite-1:HOTP-SHA512-8:C-QN08 OcraSuite-1:HOTP-SHA256-8:C-QN08-PSHA1
OcraSuite-1:HOTP-SHA512-8:QN08-T1M OcraSuite-1:HOTP-SHA512-8:QA10-T1M
When computing a response, the concatenation order is always the following:
C | OTHER-PARTY-GENERATED-CHALLENGE-QUESTION | YOUR-GENERATED-CHALLENGE-QUESTION | P | S | T
If a value is empty (i.e., a certain input is not used in the computation) then the value is simply not represented in the string.
The counter on the token or client MUST be incremented every time a new computation is requested by the user. The server’s counter value MUST only be incremented after a successful OcraSuite authentication.
CLIENT                                   SERVER
(PROVER)                             (VERIFIER)
|                                             |
|<--------------------------------------------|
|                                             |
|  Prover Computes Response                   |
|  R = OcraSuite(K, {[C] | Q | [P | S | T]})  |
|  Prover sends Response = R                  |
|-------------------------------------------->|
|                                             |
|  Verifier Validates Response                |
|  If Response is valid, Server sends OK      |
|  If Response is not, Server sends NOK       |
|<--------------------------------------------|
|                                             |
CLIENT                                             SERVER
(PROVER)                                       (VERIFIER)
|                                                       |
|------------------------------------------------------>|
|                                                       |
|  2. Server computes server-response                   |
|  and sends server-challenge                           |
|  RS = OcraSuite(K, [C] | QC | QS | [S | T])           |
|  QS = Server-challenge                                |
|  Response = RS, QS                                    |
|<------------------------------------------------------|
|                                                       |
|  3. Client verifies server-response                   |
|  and computes client-response                         |
|  OcraSuite(K, [C] | QC | QS | [S | T]) != RS -> STOP  |
|  RC = OcraSuite(K, [C] | QS | QC | [P | S | T])       |
|  Response = RC                                        |
|------------------------------------------------------>|
|                                                       |
|  4. Server verifies client-response                   |
|  OcraSuite(K, [C] | QS | QC | [P|S|T]) != RC -> STOP  |
|  Response = OK                                        |
|<------------------------------------------------------|
|                                                       |
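The concatenation order and the mutual exchange above, as an added Python example (not LinOTP's own code): it builds the data input following the RFC 6287 encoding rules and runs steps 2 to 4 with the question order swapped per side. It handles only `[C-]Q` data inputs (no P, S or T); the function names, key and challenge strings are assumptions made for the example.

```python
# Added example; function names are hypothetical, not LinOTP's API.
import hashlib
import hmac
import struct

def question_bytes(q, fmt):
    """Encode a challenge as hex digits, zero-padded on the right to 128 bytes."""
    if fmt == "N":                       # numeric: hex of the decimal integer
        hexq = format(int(q), "x")
    elif fmt == "A":                     # alphanumeric: hex of the ASCII bytes
        hexq = q.encode("ascii").hex()
    else:
        raise ValueError("unsupported question format: " + fmt)
    return bytes.fromhex(hexq.ljust(256, "0"))

def ocra(suite, key, q, counter=None):
    """OTP for OCRA-1:HOTP-<hash>-<digits>:[C-]Q<fmt><len> (no P, S or T)."""
    _, crypto, data_input = suite.split(":")
    _, hash_name, digits = crypto.split("-")
    fields = data_input.split("-")
    msg = suite.encode("ascii") + b"\x00"
    if fields[0] == "C":                 # C always precedes the question
        msg += struct.pack(">Q", counter)
        fields = fields[1:]
    if len(fields) != 1 or not fields[0].startswith("Q"):
        raise ValueError("this example handles only [C-]Q data inputs")
    msg += question_bytes(q, fields[0][1])
    mac = hmac.new(key, msg, getattr(hashlib, hash_name.lower())).digest()
    offset = mac[-1] & 0x0F              # HOTP dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** int(digits)).zfill(int(digits))

def server_response(suite, key, qc, qs):
    """Step 2: RS covers QC | QS, the other party's question first."""
    return ocra(suite, key, qc + qs)

def client_response(suite, key, qc, qs, rs):
    """Step 3: check RS in constant time, then answer over QS | QC."""
    if not hmac.compare_digest(ocra(suite, key, qc + qs), rs):
        return None                      # STOP: server did not prove the key
    return ocra(suite, key, qs + qc)

def server_verify(suite, key, qc, qs, rc):
    """Step 4: the server recomputes RC over QS | QC and compares."""
    return hmac.compare_digest(ocra(suite, key, qs + qc), rc)

# Constructed sample values for a quick run (not taken from LinOTP).
SUITE, KEY = "OCRA-1:HOTP-SHA256-8:QA08", b"12345678901234567890123456789012"
RS = server_response(SUITE, KEY, "CLI22220", "SRV11110")
```

Because the two responses are computed over swapped question orders, a server response replayed as a client response does not verify.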
- class linotp.lib.ocra.OcraSuite(ocrasuite, secretObject=None)
OCRA-1:HOTP-SHA1-6:QN08 OCRA-1:HOTP-SHA256-8:QA08 OCRA-1:HOTP-SHA256-8:QN08-PSHA1
OCRA-1:HOTP-SHA512-8:C-QN08 OCRA-1:HOTP-SHA256-8:C-QN08-PSHA1
OCRA-1:HOTP-SHA512-8:QN08-T1M OCRA-1:HOTP-SHA512-8:QA10-T1M
- checkOtp(passw, counter, window, ocraChallenge, pin='', options=None, timeshift=0)
Check the given passw.
Parameters: - passw – the OTP to be verified
- counter – the start counter from the token
- window – the range within which the counter should be checked
- ocraChallenge – the OCRA challenge, which goes into the OTP calculation
- pin – the OCRA token PIN
- options – used to identify non-sequential OTP verification
- timeshift – for time-based tokens, time offsets are supported
Returns: the counter of the match, otherwise -1
- combineData(C=None, Q=None, P=None, P_digest=None, S=None, T=None, T_precomputed=None, Qsc=None)